Chapter 15: Cooperation and consistency – Unlocking the EU General Data Protection Regulation
8 min read
Previous Chapter | Next Chapter | Index of Chapters
Why does this topic matter to organisations?
Under the Directive, organisations were obliged to deal with a separate DPA for each Member State whose laws apply to them. This meant that businesses faced a range of inconsistent compliance requirements across the EU, often resulting in complexity and unpredictability. The GDPR is intended to create a more uniform approach to the regulation of data processing activities across the EU.
What types of organisations are most affected?
All organisations that are subject to the laws of multiple Member States are affected by the Consistency Mechanism and related rules regarding cooperation among DPAs, as set out below.
What should organisations do to comply?
Organisations that operate in, or are subject to the laws of, multiple Member States should:
- ensure that they understand the role of the "lead DPA" and the concept of the "One-Stop-Shop" (see Chapter 14); and
- ensure that they can identify the lead DPA and are familiar with the enforcement approach generally taken by the lead DPA.
Icons to convey information quickly
The following icons are used in the table, to clarify the impact of each change:
Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist). |
Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged). |
The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue). |
The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same). |
The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations). |
The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written). |
Issue | The Directive | The GDPR | Impact |
The Consistency Mechanism The core aim of the Consistency Mechanism is to ensure that EU data protection law is enforced uniformly across all Member States. |
Art.28(1) Under the Directive, organisations operating in more than one Member State dealt with the DPA in each Member State in which such an organisation operated. |
Rec.132-134; Art.63, 64(2) DPAs across all Member States are required to co-operate with each other and with the EDPB and the Commission, to ensure consistent application of the GDPR. |
The GDPR provides for mandatory cooperation between national DPAs and provides that cases considered to have an impact in more than one Member State may be referred to the EDPB. This should help to ensure that organisations face more consistent compliance requirements across the EU. |
Opinion of the EDPB Even if the applicable national data protection laws set similar standards across all Member States, enforcement requirements, attitudes, and standards may vary from Member State to Member State. Ensuring similar enforcement standards is a core issue for EU data protection law. |
N/A The Directive did not provide for DPAs to submit their decisions to a central authority. |
Rec.136; Art.64 DPAs must submit a draft to the EDPB before taking any of the following measures:
The EDPB may examine each such measure and issue an opinion where the matter in question affects multiple Member States. The relevant DPA must take "utmost account" of the EDPB's opinion in proceeding with its decision. |
DPAs are required to submit to the EDPB decisions that are likely to affect data subjects or organisations in multiple Member States. In theory, this will ensure that DPAs take decisions in a manner that is consistent with the approach that the other affected DPAs would take on the same issues, resulting in a more consistent application of the law across the EU. Involving the EDPB as a new step in the decision- making process may result in additional delays. |
Dispute resolution by the EDPB Where DPAs disagree with one another there is a risk of inconsistent application of data protection law across the EU. Allowing a central authority to make binding decisions reduces this risk. |
N/A The Directive did not provide for a central authority to make decisions that were binding on DPAs. |
Rec.136; Art.65 Where DPAs disagree about key data protection law issues, the EDPB will issue a binding decision, which must then be adopted by the Concerned DPA(s) within one month of notification of the EDPB's decision. |
Resolution of disputes by the EDPB should ensure a more consistent application of the GDPR. |
Urgency procedure One drawback of requiring DPAs to refer enforcement issues to a central authority is that this may lead to delays. In many cases, the delay might not prejudice the outcome of the proceedings, but there is a risk that, in some cases, it may do so. Therefore, there is a need to allow for more rapid decisions in cases of urgency. |
N/A The Directive did not directly address this issue. |
Rec.137; Art.66 Where a DPA considers there to be an urgent need to act to protect data subjects' rights, it may immediately adopt provisional measures for up to three months. A full explanation should be provided to other Concerned DPAs, the EDPB and the Commission. Urgent opinions may also be requested from the EDPB. |
This provision allows urgent measures to be taken by DPAs in exceptional circumstances. The inclusion of the EDPB in the decision- making process may result in delays, but the urgency procedure reduces this risk, to a certain extent. |
Exchange of information In order to ensure that EU data protection law is applied consistently, it is important to ensure that DPAs and the EDPB are communicating clearly. |
N/A The Directive did not directly address this issue. |
Rec.116, 168; Art.47(3), 50, 60(1), 61(3), (9), 67, 70(c), (u)-(w) The Commission may implement acts which specify arrangements for electronic exchange of information between DPAs and the EDPB. The EDPB may advise on these issues. |
This provision is designed to ensure a free flow of information between Concerned DPAs and the EDPB. |
Commentary: DPAs still have exclusive competence to regulate processing of data that only affects their own Member State
Under the GDPR, where an organisation's data processing activities only affect data subjects in a single Member State, only the DPA for that Member State has authority to enforce the GDPR against that organisation. For example, if a small business only processes the personal data of its own employees, and only has customers in its home Member State, it will generally only be regulated by its own DPA. However, a larger business that has customers all over the EU, may find itself subject to regulatory actions taken by multiple DPAs.
Organisations can minimise the difficulties that arise from dealing with multiple DPAs by ensuring that they benefit from the One-Stop-Shop (see Chapter 14).
Case law: Ability of DPAs to take action affecting other Member States
In October 2015, the CJEU issued its decision in the case of Weltimmo v Nemzeti (Case C-230/14). In that decision, the CJEU stated that each DPA is responsible for applying the Directive (as implemented through the national laws of Member States) in its own Member State. But where a controller in one Member State engages in processing affecting data subjects in another Member State, the DPA in the latter Member State may be able to take enforcement action against the controller (although only the DPA in the first Member State would have the power to fine the controller or issue formal sanctions against it).
The GDPR streamlines this approach by requiring DPAs to work together in cases of processing that affects multiple Member States (see Chapter 15). How this will work in practice remains to be seen.
Commentary: Oversight by the EDPB
Because the EDPB, and the provisions governing the Consistency Mechanism and oversight by the EDPB, have only recently become effective, it is unclear how the EDPB will fulfil its role in resolving disputes between DPAs. Historic practice indicates that there are likely to be many cases in which DPAs have different opinions about the correct application of EU data protection law (see, for example, the significantly divergent views of DPAs following the CJEU's decision in Schrems). Where DPAs disagree, the EDPB may be called in to adjudicate under Art.64. Given the potentially high numbers of disagreements, and the length of time it may take for DPAs and the EDPB to familiarise themselves with this mechanism, there may be delays until the EDPB's processes work smoothly.
Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law
Chapter 2: Complying with the GDPR
Chapter 3: Subject matter and scope
Chapter 4: Territorial application
Chapter 6: Data Protection Principles
Chapter 7: Legal basis for processing
Chapter 9: Rights of data subjects
Chapter 10: Obligations of controllers
Chapter 11: Obligations of processors
Chapter 12: Impact Assessments, DPOs and Codes of Conduct
Chapter 13: Cross-Border Data Transfers
Chapter 14: Data Protection Authorities
Chapter 15: Cooperation and consistency
Chapter 16: Remedies and sanctions
Chapter 17: Issues subject to national law
Chapter 18: Relationships with other laws
Our Global Data, Privacy & Cyber Security Practice
White & Case Technology Newsflash
If you would like to request a hard copy of this Handbook, please do so here.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP